From ac311e1b39f891ba3c137f6203981c491639bec3 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 2 Jun 2014 10:14:26 +0200 Subject: [PATCH] [ticket/12352] Do not check hashes that don't have the necessary length This should significantly reduce the time spent on checking hashes of passwords that should be converted. PHPBB3-12352 --- phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 2 +- phpBB/phpbb/passwords/driver/md5_mybb.php | 2 +- phpBB/phpbb/passwords/driver/md5_vb.php | 2 +- phpBB/phpbb/passwords/driver/sha1.php | 2 +- phpBB/phpbb/passwords/driver/sha1_smf.php | 2 +- phpBB/phpbb/passwords/driver/sha1_wcf1.php | 2 +- phpBB/phpbb/passwords/driver/sha_xf1.php | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php index fe6e36406e..f706c7af69 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php +++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php @@ -65,7 +65,7 @@ class bcrypt_wcf2 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash)) + if (empty($hash) || strlen($hash) != 60) { return false; } diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index dceffe8e68..0745bceb5e 100644 --- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -47,7 +47,7 @@ class md5_mybb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt'])) { return false; } diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php index e15680222d..440b9e39e9 100644 --- a/phpBB/phpbb/passwords/driver/md5_vb.php +++ b/phpBB/phpbb/passwords/driver/md5_vb.php @@ -47,7 +47,7 @@ class md5_vb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt'])) { return false; } diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php index 35df1ebe96..5d6c93f6a8 100644 --- a/phpBB/phpbb/passwords/driver/sha1.php +++ b/phpBB/phpbb/passwords/driver/sha1.php @@ -47,6 +47,6 @@ class sha1 extends base */ public function check($password, $hash, $user_row = array()) { - return $hash === sha1($password); + return (strlen($hash) == 40) ? $hash === sha1($password) : false; } } diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php index 6cc0841f4d..3e3322d77f 100644 --- a/phpBB/phpbb/passwords/driver/sha1_smf.php +++ b/phpBB/phpbb/passwords/driver/sha1_smf.php @@ -46,6 +46,6 @@ class sha1_smf extends base */ public function check($password, $hash, $user_row = array()) { - return $hash === $this->hash($password, $user_row); + return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false; } } diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php index 77168e70eb..04a69705e9 100644 --- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php +++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php @@ -47,7 +47,7 @@ class sha1_wcf1 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt'])) { return false; } diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php index 08b8cecaf3..7ae0b90f51 100644 --- a/phpBB/phpbb/passwords/driver/sha_xf1.php +++ b/phpBB/phpbb/passwords/driver/sha_xf1.php @@ -47,7 +47,7 @@ class sha_xf1 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt'])) { return false; }